How much effort (and why) should consumers put into protecting their credit card numbers?
The more I think about it, the more it seems to me that credit card information is among the least worrisome type of personal information belong to any consumer.
If someone’s credit card number is somehow stolen, my understanding is that he’s legally protected against fraudulent charges, and really, there is literally no piece of personal information on the card except the person’s name (which is already pretty public) and signature (which many people don’t bother with filling out anyway).
Given this, you’d think the consumer doesn’t need to worry about this at all.
But it seems like credit card companies beg to differ.
For example, Bank of America says:
Stay Protected
We block potential fraud if abnormal patterns are detected and let you know if we suspect fraudulent activity.
Citi has a similar wording:
$0 Liability on Unauthorized Charges
You’re completely protected against unauthorized charges on your account. At Citi, you will not be responsible for a charge that you did not authorize, online or otherwise.
Heck, they go even further when advertising their Virtual Card Numbers:
Why use Virtual Account Numbers?
By using Virtual Account Numbers, you get peace of mind knowing that your actual credit card number is never revealed to merchants.
(italics mine)
But… why should a consumer ever bother worrying about these in the first place, when he knows he legally can’t be held responsible for fraudulent charges? What exactly is this new “peace of mind” that he supposedly gets by (say) using features like virtual account numbers that he doesn’t already have? Should a consumer put any effort into worrying about this at all? (Why?)
Not much. With credit cards, there is generally no liability to the cardholder for unauthorized purchases. Random stolen credit card numbers are only worth like $5 on the black market. They’re so ubiquitous. And they’re compromised at the card issuer a lot of the time, so even if you never use the card, and destroy it immediately upon receipt, it can fall into the wrong hands. Card issuers are getting better at identifying fraud and proactively alerting customers, so it can be difficult to get a lot of mileage out of them. I wouldn’t lose any sleep over protecting my credit card. I’m very familiar with stolen credit cards by trade (fraud prevention), and just assume my credit cards are compromised at all times.
I’ve had a card cloned 15 years ago and used to buy over 5k of goods in another country. So the inconvenience of having a card closed and re-issued is quite annoying even though the charges were reversed and I was made whole.
But these days most CC fraud isn’t from a card scanned by a waiter and cloned then used elsewhere. Mostly it is poorly secured databases or point of sale terminal malware. The latter is getting curtailed by chipped cards and the largest source of fraud is now online transactions (so called card not present) where the merchant has your CC number. If their system is breached the bad guys have a wealth of card numbers they sell in an E-bay like site on the dark web. This is where the Citi virtual CC comes in handy. Here’s how it works to protect the bank and the hassles you go through when a card as to be re-issued.
Citi’s virtual CCs let you generate an actual credit card, complete with security code and expiration date. What is unique is that once the virtual CC is used it can only be used subsequently by that same merchant and is declined by any other. You can also set a total limit on what the merchant can charge as well as an expiration date. I use them for all my online accounts because they are, for all practical purposes, immune to the malware that steals CC info. Even if somehow the virtual CC is used before the merchant makes the initial charge that locks in the CC to their account the charge can be reversed without closing your actual card which has a different number.
You can manage multiple Citi virtual CCs and view charge status, close, or adjust limits over time so managing them is quite easy with no risk to your primary account.
If you have any automated, recurring payments attached to the credit card, having the number cancelled can result in major losses – for instance, domain name expiration, VPS deletion, deactivation of mobile or VoIP phone service, etc. Good providers will give you a warning and plenty of time to replace the payment method on record, but I wouldn’t necessarily trust them all to handle it well.
The biggest reason to protect your credit card number is for your personal convenience. Replacing cards, even if there is no immediate dollar-consequence, is time consuming, so there IS a cost unless you do not assign value to your time. Additionally, repeated fraud may cause your financial institution to decide you’re an above-average fraud risk and close your account. This costs more time and credit checks, etc., to apply for a new card.
TL;DR.: Because eventually the CC issuer will pass the fraud bill to the customer, in the form of increased fees and/or taxes.
Even with no liability in the case of fraud, the customer should put effort into security measures with their card.
The expense from fraud may be the sole burden of the credit issuer / bank as per Ben Miller’s answer, but this expense will someday find its way into the customer’s pockets:
Disclosure, i work at a bank.
A banks’ best ability probably is risk management. The ones that were bad at this probably went under in the last four decades. With regulations such as SOx, Basilea, and others, it is impossible for a bank to neglect risk management.
Every expense, including operational losses, a bank incurs will reflect in increased fees / interest rates for the customers. So in the case of a sharp raise of credit card fraud, the banks will soon take measures to reduce these losses. That may mean canceling the cards of high-risk groups of customers, increasing fees or interest.
A particular customer that is often the target of fraud (way more than the average for that customer’s demographic) will probably see his card not renewed or even cancelled, or his limits decreased and/or rates/fees going up.
In many cases, you can be temporarily out of pocket by significant amounts. Even if you then get the money back, there may be difficulties or consequential costs that aren’t covered. For example your card gets cloned and maxxed out while travelling, leaving you without your most effective means to pay for necessities. You’re left paying over the odds to withdraw cash on your debit card (if you can even get enough out at a time e.g. India at the moment) or you have to get money wired to you.
At the same time you can’t really protect your card number. You can’t even keep your card in sight in some places, never mind protect against the card number being displayed/recorded locally by the card machine.
Recovering after a card number has been stolen is a nuisance; you need to wade through determining which charges are and aren’t legit, update the records of anyone who legitimately has your card on file, not have the card available until the replacement reaches you, etc. And you may be on the hook for the first $50 of the loss, if I remember correctly, unless (as mentioned) the bank waives that.
Plus the risk that the card could be the first step in a larger identity theft attempt.
And not everyone is so blase’ about the bank losing money. Those costs get passed on to us, remember. And some of us actually respect our banks or credit unions.
Certainly cards come with some consumer protection, otherwise nobody who thought about this would want to use them. But it’s still worth exercising reasonable care to keep the problem from arising.
I have some experience with this. I have had fraudulent charges appear on my credit card statement and had to change my card number several times, despite (I believe) no carelessness on my part. Every time that this has happened, I have never lost a penny due to fraud on my credit card. The bank has ultimately removed the fraudulent charges in every instance.
Yes, because although I have never lost a penny to fraud, the bank (or the merchant) loses money every time it happens. The $0 liability protects you; the card security measures protect the bank.
Although you shouldn’t end up out any money when this happens, it is an inconvenience. The bank will cancel your card and issue you a new number. It may take a few days for you to receive your new card. If you have another card to use, this isn’t a big deal. If you are out of state the day before you need to check out of a hotel and return a rental car with no backup credit card (as I have been), it is a big deal. (In my case, I had to have the credit card company talk to the hotel to give them the new card number, and they were able to overnight me a new credit card so I could get home. I now make sure I carry a backup credit card.)
In my opinion, it makes sense to be careful what you do with your credit card number, if only to avoid the inconvenience. Don’t type your credit card number into an e-mail message, for example, and only use it on websites that you trust. That having been said, it is not worth it to be paranoid about it, either. No matter how careful you are, eventually you will probably use it at a store that gets hacked, or your card will get skimmed somewhere, and you’ll need to get a new credit card number.
The best way to protect yourself is to make sure that you go over your credit card statement each month and look for any fraudulent charges that the bank didn’t catch.